用于记录分享一些有趣的案例

The AWS Enumerator was created for service enumeration and info dumping for investigations of penetration testers during Black-Box testing. The tool is intended to speed up the process of Cloud review in case the security researcher compromised AWS Account Credentials.

Do It Yourself! (DIY) Web Penetration Testing is a guideline in performing security test cases against web applications

A robust framework to benchmark LLMs specifically for penetration testing use-cases, offering a significant leap forward in the security assessment process.

A dataset of 3500 penetration testing cases.

This repository contains the AWS Penetration Testing POST exploitation test cases. If you have more test cases then please add it.

🚀 High-Performance Penetration Testing Framework - Go Implementation with Advanced Algorithms. Features XML bomb detection, intelligent buffer management, and sophisticated edge case testing. 3-5x faster than original with enhanced concurrency and security.

Weevely Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote administration and penetration testing. It provides a ssh-like terminal just dropping a PHP script on the target server, even in restricted environments. The low footprint agent and over 30 modules shape an extensible framework to administrate web accounts and post exploit web servers escalating privileges and moving laterally in the network. Read the Wiki for tutorials and uses cases. The modules feature: Ssh-like terminal Run SQL console pivoting on target Proxy your HTTP traffic pivoting on target Host configurations security auditing Mount target file system locally Conduct network scans pivoting on target File upload and download Spawn reverse and direct TCP shells Bruteforce internal services Manage compressed archives The backdoor agent The remote agent is a small PHP script which can extend its functionality over the network at run-time. The agent code is polymorphic and hardly detectable by AV and the traffic is obfuscated within the HTTP requests. Modules development Weevely also provides python API to develop your own module to implement internal audit, account enumerator, sensitive data scraper, network scanner, make the modules work as a HTTP or SQL client and do a whole lot of other cool stuff.

Web and API penetration testing case study on OWASP Juice Shop

Automated testing project for the Vervane website using Katalon Studio. Covers 27 test cases including navigation, functional, performance, and security testing. Features data-driven tests, Android mobile testing with Appium and Node.js, and penetration testing (XSS, SQL injection, etc.) to ensure site reliability and safety.

📚 Complete practical guide for Kali Linux penetration testing tools with examples, use cases, and ethical guidelines

Implement a graph based RAG (Retrieval Augment Generation) system using Langgraph and Langchain for a cybersecurity / penetration testing use-case.

This project is a practical penetration testing case study demonstrating the exploitation of a known backdoor vulnerability in vsftpd 2.3.4 running on a Metasploitable 2

Comprehensive learning repository for Introduction to CISSP Security Assessment & Testing and Security Operations, featuring notes, labs, cheatsheets, scenarios, case studies, and a certificate of completion. Focuses on security assessment, penetration testing, SOC operations, incident response, and business continuity.

A comprehensive collection of security-focused scripts and tools for Arch Linux systems. This repository provides automated setup and configuration scripts for various security use cases, from privacy protection to ethical penetration testing.

A comprehensive penetration testing toolkit for Flutter applications. Includes SSL pinning bypass techniques, Frida scripts, static/dynamic analysis guides, automated security scanning tools, and real-world case studies. Everything you need to assess Flutter app security on Android & iOS

This is a cheat sheet on how to use some CVEs for penetration testing. Note: don't be retarded and use this on production environments - especially if you don't have permission or have a backup config in case shit hits the fan.

How much is it worth to catch more bugs early in your product release process? Depending on where you are in your release process, you might be writing unit or systems tests. But, you need to run end-to-end tests to prove behavior, and quality engineers require a high degree of skill to write end-to-end tests successfully. What would you say if a single validation engine could help you ensure data integrity, functional integrity, and graphical integrity in your web and mobile applications? And, as a result, catch more bugs earlier in your release process? Catch Bugs or Die Let’s start with the dirty truth: all software has bugs. Your desire to create bug-free code conflicts with the reality that you often lack the tools to uncover all the bugs until someone finds them way late in the product delivery process. Like, say, the customer. surprised 1184889 1280 With all the potential failure modes you design for – and then test against – you begin to realize that not all failure modes are created equal. You might even have your own triage list: Security & penetration Data integrity and consistency Functional integrity and consistency So, where does graphical integrity and consistency fit on your list? For many of your peers, graphical integrity might not even show up on their list. They might consider graphical integrity as managing cosmetic issues. Not a big deal. Lots of us don’t have reliable tools to validate graphical integrity. We rely on our initial unit tests, systems tests, and end-to-end tests to uncover graphical issues – and we think that they’re solved once they’re caught. Realistically, though, any application evolution process introduces changes that can introduce bugs – including graphical bugs. But, who has an automation system to do visual validation with a high degree of accuracy? Tradeoffs In End-to-End Testing Your web and mobile apps behave at several levels. The level that matters to your users, though, happens at the user interface on the browser or the device. Your server code, database code, and UI code turns into this representation of visual elements with some kind of visual cursor that moves across a plane (or keyboard equivalent) to settle on different elements. The end-to-end test exercises all the levels of your code, and you can use it to validate the integrity of your code. code 2434271 1280 So, why don’t people think to run more of these end-to-end tests? You know the answers. First, end-to-end tests run more slowly. Page rendering takes time – your test code needs to manipulate the browser or your mobile app, execute an HTTP request, receive an HTTP response, and render the received HTML, CSS, and JavaScript. Even if you run tests in parallel, they’re slower than unit or system tests. Second, it takes a lot of effort to write good end-to-end tests. Your tests must exercise the application properly. You develop data and logic pre-conditions for each test so it can be run independently of others. And, you build test automation. Third, you need two kinds of automation. You need a controller that allows you to control your app by entering data and clicking buttons in the user interface. And, most importantly, you need a validation engine that can capture your output conditions and match those with the ones a user would expect. You can choose among many controllers for browsers or mobile devices. Still, why do your peers still write code that effectively spot-checks the DOM? Why not use a visual validation engine that can catch more bugs? Visual AI For Code Integrity You have peers who continue to rely on coded assertions to spot-check the DOM. Then you have the 288 of your peers who did something different: they participated in the Applitools Visual AI Rockstar Hackathon. And they got to experience first-hand the value of Visual AI for building and maintaining end-to-end tests. As I wrote previously, we gave participants five different test cases, asked them to write conventional tests for those cases, and then to write test cases using Applitools Visual AI. For each submission, we checked the conditions each test writer covered, as well as the failing output behaviors each test-writer caught. As a refresher, we chose five cases that one might encounter in any application: Comparing two web pages Data-driven verification of a function Sorting a table Testing a bar chart Handling dynamic web content For these test cases, we discovered that the typical engineer writing conventional tests to spot-check the DOM spent the bulk of their time writing assertion code. Unfortunately, the typical spot-check assertions missed failure modes. The typical submission got about 65% coverage. Alternatively, the engineers who wrote the tests that provided the highest coverage spent about 50% more time writing tests. However, when using Visual AI for visual validation, two good things happened. First, everyone spent way less time writing test code. The typical engineer went from 7 hours of coding tests and assertions to about 1.2 hours of coding tests and Visual AI. Second, the average test coverage jumped from 65% to 95%. So, simultaneously, engineers took less time and got more coverage. Visual AI Helps You Catch More Bugs When you find more bugs, more quickly, with less effort, that’s significant to your quality engineering efforts. You’re able to validate data, functional, and graphical by focusing on the end-to-end test cases you run. You spend less time thinking about and maintaining all the assertion code checking the result of each test case. Using Visual AI makes you more effective? How much more effective? Based on the data we reviewed – you catch 45% of your bugs earlier in your release process (and, importantly, before they reach customers). VisualAI Impact 45MoreBugs With Title We have previously written about some of the other benefits that engineers get when using Visual AI, including: 5.8x Faster Test Creation – Authoring new tests is vital especially for new features during a release cycle. Less time authoring means more time managing quality. Read more. 5.9x More Test Code Efficient – Like your team’s feature code, test code efficiency means you write less code, yet provide far more coverage. Sounds impossible, right? It’s not. Read More. 3.8x Improvement In Test Stability – Code-based frameworks rely on brittle locators and labels that break routinely. This maintenance kills your release velocity and reduces coverage. What you need is self-maintaining and self-healing code that eliminates most of the maintenance. It sounds amazing and it is! Read More. By comparing and contrasting the top participants – the prize winners – with the average engineer who participated in the Hackathon, we learned how Visual AI helped the average engineer greatly – and the top engineers become much more efficient. VisualAI Impact VisualAI Impact 45MoreBugs GranPrize Compare With Title The bottom line with Visual AI — you will catch more bugs earlier than you do today. VisualAI Impact 45MoreBugs GranPrize Quote More About The Applitools Visual AI Rockstar Hackathon Applitools ran the Applitools Visual AI Rockstar Hackathon in November 2019. Any engineer could participate, and 3,000 did so from around the world. 288 people actually completed the Hackathon and submitted code. Their submissions became the basis for this article. You can read the full report we wrote: The Impact of Visual AI on Test Automation. In creating the report, we looked at three groups of quality engineers including: All 288 Submitters – This includes any quality engineer that successfully completed the hackathon project. While over 3,000 quality engineers signed-up to participate, this group of 288 people is the foundation for the report and amounted to 3,168 hours, or 80 weeks, or 1.5 years of quality engineering data. Top 100 Winners – To gather the data and engage the community, we created the Visual AI Rockstar Hackathon. The top 100 quality engineers who secured the highest point total for their ability to provide test coverage on all use cases and successfully catch potential bugs won over $40,000 in prizes. Grand Prize Winners – This group of 10 quality engineers scored the highest representing the gold standard of test automation effort. By comparing and contrasting the time, effort, and effectiveness of these groups, we were able to draw some interesting conclusions about the value of Visual AI in speeding test-writing, increasing test coverage, increasing test code stability, and reducing test maintenance costs. What’s Next? You now know five of the core benefits we calculate from engineers who use Visual AI. Spend less time writing tests Write fewer lines of test code Maintain fewer lines of test code Your test code remains much more stable Catch more bugs So, what’s stopping you from trying out Visual AI for your application delivery process? Applitools lets you set up a free Applitools account and start using Visual AI on your own. You can download the white paper and read about how Visual AI improved the efficiency of your peers. And, you can check out the Applitools tutorials to see how Applitools might help your preferred test framework and work with your favorite test programming language.

HIPAA already has many procedures defined which, when followed correctly, will ensure data security. We generally cannot cover everything that needs to be done to safeguard Protected Health Information (PHI). Being HIPAA compliant today doesn't guarantee that you will still be HIPAA compliant tomorrow. HIPAA rules and regulations are changing every day, as technology and security changes. Maintaining HIPAA compliance is an ongoing process and occasionally an external audit of the process or program will help you know your risk areas. Spending a little money now is better than spending a LOT of money in fines later. HIPAA 2018 Changes In this HIPAA session we will be discussing HIPAA 2018 Changes taking place in Washington with the Health and Human Services when it comes to the enforcement of the HIPAA regulations already on the books as well as some step-by-step discussions on the audit method and some current functions regarding HIPAA cases (both in courtrooms and from live audits). Attend this Session Here below are the best ways to safeguard Protected Health Information (PHI) Keep Abreast: Regular training and upgrading of your compliance officers Updating employees knowledge with fully, periodical, updated HIPAA workforce training program Security Policies: Always and at all stages, use multi-level authentication. Read more on Risk based or Adaptive Authentication and use them Access Policies: Fine grained access control should be used to give access and record who can see the data and perform actions HIPAA - Texting & Emailing in 2018 With the introduction of smartphones, emails have become the even more accessible form of communication. In conjunction with email comes the issue of security and them being intercepted and read by unintended persons. Precautions and steps are to be taken at every step of the way. So for a Healthcare concern or a business associate, it's a key to maximize patient communication tools while protecting itself and the organization from government penalties and patient lawsuits. Attend this Session Tracking Logs: Document and audit all actions and functions with immutable time stamps, the audit trails should be immutable and secure from tampering Technical Policies: Use encryption on the data at rest or in database While using a public cloud provider - use HIPAA compliant infrastructure While accessing data ensure using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption Physical Barriers: Physical safeguards should at basic level include limited facility access and control, with authorized access in place HIPAA Privacy Officer: Module 1 HIPAA Privacy Officer Training will uncover all HIPAA and HITECH expectations in protecting patient and member's right to privacy and the confidentiality of Protected Health Information (PHI) as you engage in treatment, payment, and healthcare operations (TPO) services. Attend this Session Business Associate: In case you are a Business Associate, inevitably you will be asked to conduct a security - or risk - assessment by a Covered Entity Technical Safeguard: Technical safeguard required for network, or transmission, security of HIPAA compliant hosts to protect against unauthorized public access of ePHI HIPAA Privacy Officer: Module 2 HIPAA Privacy Officer Training will cover all ongoing activities of a Privacy Program related to the development, implementation, maintenance of, and adherence to the organization's policies and procedures covering the privacy of, and access to, patient health information in compliance with federal and state laws and the healthcare organization's information privacy practices. Attend this Session Perform periodic penetration testing and fix issues and get external audit of the process or program will help you know your risk areas Your HIPAA program must be on - going, reviewed periodically and constantly changing....https://www.complyarena.com/articledetails/Safeguard-Protected-Health-Information-PHI

No description available

Contains projects I completed for classes or curiosity.

Simulated penetration testing case study showcasing OWASP-based methodology, practical security testing using Nmap, Wireshark, and Burp Suite, and a real-world authentication bypass demonstration.

This test cases for VAPT only

Academic penetration-testing case study in a controlled lab environment

No description available

Part of my penetration testing cases.

No description available

Web verb case tampering program for penetration testing

An incomplete suite cases for penetration testing works

Case studies & tools from my penetration testing work